Banner grabbing – it ain’t exactly rocket science. It ain’t something the government is too much concerned about, either. In essence, it’s all about getting to know what lives on a remote target. Whether it’s discovered from open ports or a webpage, it’s always nice to know what we’re communicating with. Much has been written about discovering CMSs and web servers. Today I’ll give you a quick intro to banner grabbing SSH. And no, the government doesn’t give a rat’s ass about it (clickbait ahoy).

At its simplest you only need Telnet, but I’ll show you a few different techniques.

Using Telnet


$ telnet xxx.xxx.xxx.xxx 22
Trying xxx.xxx.xxx.xxx ...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3

Using Netcat


$ nc -v xxx.xxx.xxx.xxx 22
xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] 22 (ssh) open
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3

Using Nmap


$ nmap -sV -p 22 xxx.xxx.xxx.xxx

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-10-25 16:06 CET
Nmap scan report for xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
Host is up (0.021s latency).
rDNS record for 70.39.65.167: shell.openshells.net
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.15 seconds
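The same grab done in Python, as an added example that is not the author’s code: it reads the RFC 4253 identification string that telnet and nc print above and splits it into protocol version, software version and the optional comments field (the part nmap turns into “Ubuntu 2ubuntu2.3”), which is handy for inventorying the SSH builds on your own hosts. The parser is exercised on the banner shown above; the network helper assumes a host and port you are permitted to connect to.

```python
import re
import socket

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# The comments field is optional; OpenSSH on Debian/Ubuntu puts the package
# revision there, which is where the distribution patch level comes from.
IDENT_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_ssh_banner(line: str) -> dict:
    """Split one SSH identification string into its RFC 4253 fields."""
    line = line.rstrip("\r\n")
    m = IDENT_RE.match(line)
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return {
        "protocol": m.group("proto"),
        "software": m.group("software"),
        "comments": m.group("comments") or "",
    }


def extract_identification(data: bytes) -> str:
    """Find the identification line in raw bytes read from port 22.

    Servers may send other lines first (RFC 4253 allows this); those must
    not start with "SSH-", so the first line that does is the banner.
    """
    for raw in data.split(b"\n"):
        line = raw.decode("ascii", errors="replace").rstrip("\r")
        if line.startswith("SSH-"):
            return line
    raise ValueError("no SSH identification string in data")


def grab_ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Connect, read the identification string and parse it.

    No SSH handshake happens; the socket is closed after the first read,
    which is exactly what the telnet/nc sessions above do.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = sock.recv(4096)  # one recv normally carries the whole banner
    return parse_ssh_banner(extract_identification(data))


if __name__ == "__main__":
    # Constructed sample: the banner the post shows, with a greeting line first.
    sample = b"Welcome to a constructed host\r\nSSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3\r\n"
    print(parse_ssh_banner(extract_identification(sample)))
```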

Closing words

Any of these three techniques should do the job. There are plenty of other tools out there that will do the same; I’ve tried some of them and found it easier to stick with what’s already present on most Linux systems (or Macs).
